Dave is tired of his shower taking too long to heat up. Every morning, he has to wait several minutes for the shower to warm up. He figures it would be nice if the shower knew when he would wake up and turned on before he got in. One day, he finds out about the perfect product for his case.
The Active Shower is an IoT device that collects data about when you usually shower on a given day and how warm your showers are. After sending this data to a server for processing, it tries to predict the times you shower and turns on the shower right before you do. Dave is ecstatic that he has found the device; he immediately buys it and installs it in his shower. After a few days of data collection, it begins to make predictions, and Dave’s life becomes much easier.
The Active Shower is connected to Dave’s Wi-Fi so it can communicate with the company’s server. However, the Active Shower is not properly secured against attacks from the internet, so it is possible for an attacker to take control of the device remotely. By design, the Active Shower does not decide when to run the shower on its own. Instead, the server tells the Active Shower what to do.
An attacker who knows this cannot simply switch the shower on, so instead they make the Active Shower send false data to the server. Because the server bases its predictions on that data, the shower starts turning on at the wrong times, and over time the predictions become worse and worse. To Dave’s horror, he realizes the Active Shower has kept the shower running throughout the day, wasting gallons of water for days.
My recommendations for this kind of device are to limit the amount of communication it does over the internet and to patch it often to protect against vulnerabilities. Another recommendation is to do all the data collection and prediction locally. In that case, the device would not even need to be connected to the internet.
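As an added illustration of why the false-data attack above works and how a prediction service could limit the damage, here is a small Python model written for this page (not code from any real Active Shower product). The report format, the plausibility thresholds and the hard cap on preheat time are all assumptions chosen for the example.

```python
from statistics import median

# Constructed sample reports from the device, one per shower:
# (day, start_minute_of_day, duration_minutes, water_temp_c).
HONEST = [(1, 420, 12, 39.0), (2, 425, 10, 40.0), (3, 415, 11, 38.5),
          (4, 430, 13, 39.5), (5, 420, 12, 39.0)]
# Constructed reports a compromised device might push: a "shower" every
# hour, each lasting ten hours at a temperature no real shower reaches.
POISONED = [(6, h * 60, 600, 95.0) for h in range(24)]

MAX_DURATION_MIN = 45       # assumption: longer than any real shower
TEMP_RANGE_C = (20.0, 50.0) # assumption: plausible shower water temperatures
MAX_PER_DAY = 3             # assumption: more reports per day than this is suspect
PREHEAT_CAP_MIN = 20        # hard ceiling on actuation per day, whatever the model says

def plausible(reports):
    """Keep only reports that pass physical and per-day rate sanity checks."""
    kept, per_day = [], {}
    for day, start, dur, temp in reports:
        if not (0 <= start < 1440 and 0 < dur <= MAX_DURATION_MIN):
            continue
        if not (TEMP_RANGE_C[0] <= temp <= TEMP_RANGE_C[1]):
            continue
        per_day[day] = per_day.get(day, 0) + 1
        if per_day[day] > MAX_PER_DAY:
            continue
        kept.append((day, start, dur, temp))
    return kept

def predict_start(reports):
    """Predict the start minute as the median; a few bad points move it little."""
    starts = [r[1] for r in reports]
    return int(median(starts)) if starts else None

def preheat_schedule(reports, lead_min=5, run_min=10):
    """Return (start, stop) minutes for preheating, never exceeding PREHEAT_CAP_MIN."""
    start = predict_start(plausible(reports))
    if start is None:
        return None
    run = min(run_min, PREHEAT_CAP_MIN)  # cap bounds water waste even if the model is wrong
    return (start - lead_min, start - lead_min + run)

if __name__ == "__main__":
    print("unfiltered prediction:", predict_start(HONEST + POISONED))
    print("filtered prediction:  ", predict_start(plausible(HONEST + POISONED)))
    print("schedule:", preheat_schedule(HONEST + POISONED))
```

Fed the poisoned reports without filtering, the median start drifts to 540 (09:00); with the plausibility filter every poisoned report is dropped and the schedule stays at (415, 425), i.e. a ten-minute preheat before Dave's usual 07:00 shower.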